Controller obligations: accountability
This is the fifth post in our series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This update will focus on how the Bill would change the accountability framework under the UK GDPR.
The Bill largely makes the accountability framework less prescriptive, reducing some of the accountability obligations on controllers.
Senior responsible individual
The UK GDPR currently requires certain organisations to appoint a Data Protection Officer (DPO) to assist the organisation with its internal compliance, data protection obligations and Data Protection Impact Assessments, and to be a point of contact with data subjects and the Information Commissioner’s Office (ICO).
The Bill removes the obligation for organisations to appoint a DPO. Instead, it requires certain businesses and organisations to appoint a ‘senior responsible individual’ (SRI). The SRI’s obligations are similar to the DPO’s in many ways, but without such strict independence requirements. A controller will need to appoint an SRI if they are a public body or an organisation that carries out data processing that is likely to result in a high risk to the rights and freedoms of individuals. For example, an organisation would need an SRI if it were processing special-category personal data, such as an individual’s health data or racial origin.
It may seem like the role of SRI is replacing the DPO role, but John Edwards, the Information Commissioner, publicly stated that these proposed reforms do not make the DPO’s role less important, although it will be interesting to see how this plays out in practice.
Who could you appoint as SRI?
An SRI must be part of an organisation’s senior management. The Bill states that this must be an individual who:
‘plays significant roles in the making of decisions about how the whole or a substantial part of [the organisation’s] activities are to be managed or organised.’
There is a marked difference between an individual who could be appointed as an organisation’s SRI and one who could be appointed as its DPO. The SRI must be embedded in that organisation’s management, whereas the DPO is required to be somewhat autonomous, which is why many organisations have external DPOs.
Responsibilities of the SRI
The Bill lists the responsibilities of an SRI. The SRI must either perform these tasks themselves or ensure that they are performed by another person. The tasks are to:
- monitor the controller’s compliance with the data protection legislation;
- ensure that the controller has measures in place (and reviews or updates those measures) to ensure compliance with the data protection legislation;
- inform and advise the controller, its employees, and its processors of their obligations under the data protection legislation;
- organise training for those of the controller’s employees who process personal data;
- deal with complaints made to the controller connected to data processing;
- deal with personal data breaches;
- co-operate with the Information Commissioner on the controller’s behalf; and
- be the point of contact with the Information Commissioner on data processing issues.
Record of data processing
The Bill would remove the record-keeping requirements currently in place under the UK GDPR for all controllers except those who carry out processing of personal data that is likely to result in a high risk to the rights and freedoms of individuals. For those controllers, there is an obligation to keep ‘appropriate records’ (in contrast to the current record-keeping obligations, applicable to all controllers, which are more prescriptive about the records a controller must keep).
The Bill does contain some minimum requirements as to the records the relevant controllers should be maintaining. In summary, the records must include information about:
- where the data is;
- the purposes of the processing;
- information about who the controller has shared (or intends to share) data with;
- how long the controller intends to retain the data;
- information about any special category data; and
- information about any data relating to criminal convictions and offences or related security measures.
In the first iteration of this Bill, controllers who employed fewer than 250 individuals were exempt from this obligation (unless the data processing was likely to result in a high risk to the rights and freedoms of data subjects). This exemption has been removed from the current version of the Bill.
Under the Bill, data protection impact assessments would no longer be mandatory. This has been replaced by the simplified obligation to make an ‘assessment of high-risk processing’. To do this, the controller will need to create a document that includes at least:
- a summary of the purpose of the processing;
- an assessment of whether the processing is necessary;
- an assessment of the risks to individuals; and
- a description of how the controller proposes to mitigate those risks.
The Bill obliges the Information Commissioner to give some examples of the types of processing it considers to be high-risk and which therefore trigger this assessment. Once the Information Commissioner has produced these examples, we will have a clearer idea of when this obligation is likely to apply.
- Organisations that will need to appoint an SRI under this Bill should start considering what steps they need to take to identify and appoint an SRI if this Bill becomes law. Organisations may also want to consider how the role of their DPO will shift.
- Organisations should identify whether they are under an obligation to maintain a record of their data processing and ensure such records contain the required information.
- When carrying out high-risk processing, organisations should be aware that they will need to carry out an assessment of this processing. The point at which this obligation is triggered will become clearer once the Information Commissioner has produced examples of such high-risk processing.
To access the full catalogue of articles in our series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers, visit our Data Reform: How could the upcoming changes affect your business? homepage.